- The assumption is the signature will be verified during firmware update by the scope using the corresponding public key stored in the previous firmware. A copy of the public key is also shipped in the firmware update (a copy is attached). Technically, every time the firmware is updated, a new public key can be shipped for the next firmware update. Signing the firmware update package prevents the firmware files from being altered.
Correct BUT
they usually keep always the same key because, if you would change key from package to package, when doing an update an user would be forced to execute all intermediary updates between his version and the current version. Also, KS would be forced to make available all those packages in their website, etc. permanently.
So, they can do a key change but only when there is a major justification for that and, then, everyone will have to go through that update package.